Wednesday, April 5, 2017

Anyone who has searched PacketTotal.com has probably experienced frustration with finding relevant results. Up until this point creating specific queries was impossible because the field names displayed in the analysis console are not the same as those used on the backend. So running a search like Target IP: 8.8.8.8 simply would not work because "Target IP" exists as the field "id_resp_h" within ElasticSearch.

For example, you could craft a query to return results of PCAPs containing suspicious executables with the below query.

_type:pe AND os:*Windows* AND (section_names:*UPX* OR section_names:*TLS*)) OR alert_signature:*exe*

This particular query checks for PCAPs containing at least one Windows executable which contains UPX (common packer) OR TLS (common anti-debugging technique) section. It will also return results if the Alert Signature from Malicious Activity (signature_alerts) contains the keyword .exe.

We could craft another signature to look for command and control traffic over IRC.

(_type:irc AND NOT id_resp_h:6667) OR (_type:signature_alerts AND alert_signature:*irc*)

Notice, in this example we use a NOT operator to look for IRC traffic on a non-standard port.

The SearchBuilder interface is fairly intuitive. To get started, click the dropdown arrow directly below the search bar located on the search page.

Select a template from the templates dialog. This will populate all the fields available for search within the selected template. Due to the way the backend schema is designed you cannot AND fields from multiple templates together. For example combining fields for an HTTP specific URI AND a FTP specific target port will not work, as no one document will contain both of these fields. You could however, OR fields from multiple templates together without an issue.

The search terms dialog allows you to click any of the available terms, appending them to your search. By default the equals toggle is selected in the top right. This inserts quote characters around the placeholder, ensuring that only exact matches will be returned. You can toggle this option to use contains, which will insert asterisks on both sides of the placeholder. Toggling contains will look for any PCAP which has a field containing the text between the asterisks.

Finally, the search operators dialog provides a quick way of adding aggregation and negation logic into your query. By default, when you select a new term, it will be AND'd with the previous term. This again can be toggled to use the OR operator instead.

SearchBuilder is yet another tool to improve the intelligence being gathered from this tool. Please feel free to email me with improvements or suggestions.